Quantum cryptography with finite resources: unconditional security bound for discrete-variable protocols with one-way post-processing

We derive a bound for the security of QKD with finite resources under one-way post-processing, based on a definition of security that is composable and has an operational meaning. While our proof relies on the assumption of collective attacks, unconditional security follows immediately for standard protocols like Bennett-Brassard 1984 and six-states. For single-qubit implementations of such protocols, we find that the secret key rate becomes positive when at least $N \sim 10^5$ signals are exchanged and processed. For any other discrete-variable protocol, unconditional security can be obtained using the exponential de Finetti theorem, but the additional overhead leads to very pessimistic estimates.



Introduction. Quantum cryptography, or more exactly quantum key distribution (QKD), allows the distribution of a secure key between two authorized partners, Alice and Bob, connected by a quantum channel and a public authenticated classical channel [?]. First proposed in 1984 by Bennett and Brassard (BB84, [?]) and in 1991 by Ekert [?], QKD is the first offspring of quantum information science to reach the level of applied physics and even commercial products. On the theoretical side, much effort has been devoted to deriving rigorous bounds for security. However, almost all the available security bounds hold true only if infinitely long keys are produced and processed. In contrast, a practical QKD scheme can only use finite resources: for instance, Alice and Bob have limited computational power, and they can only communicate a finite number of (qu)bits, resulting in keys of finite length.

The security of finite-length keys has been studied first in [?] and later in [?] for the BB84 protocol, as well as in [?] for a larger class of protocols. The applicability of these results is, however, limited: Ref. [?] considers only a restricted class of attacks; in Refs. [?] the underlying notion of security is not composable [10], which means that the generated keys are not secure enough to be used in applications, e.g. for encryption (more below). A more recent work [11], which focuses on a practical implementation of BB84 and has already been used in an experiment [13], uses a definition of security which is probably composable, although the issue is not discussed. In this Letter, we provide a security bound for discrete-variable QKD protocols with finite resources and with respect to a composable security definition, based on the formalism developed by one of us [13]. As first case studies, we apply it to BB84 and to the six-states protocol [?] when implemented with single qubits.

Definition of security. In the existing literature on QKD, not only the analysis, but also the very definition of security is mostly limited to the asymptotic case, and we therefore need to revisit it here. Most generally, the security of a key $K$ can be parametrized by its deviation $\varepsilon$ from a perfect key, which is defined as a uniformly distributed bit string whose value is completely independent of the adversary's knowledge. In an asymptotic scenario, a key $K$ of length $\ell$ is commonly said to be secure if this deviation $\varepsilon$ tends to zero as $\ell$ increases. In the non-asymptotic scenario studied here, however, the deviation $\varepsilon$ is always finite. This makes it necessary to attribute an operational interpretation to the parameter $\varepsilon$. Only then is it possible to choose a meaningful security threshold (i.e., an upper bound for $\varepsilon$) reflecting the level of security we are aiming at. Another practically relevant requirement that we need to take into account is composability of the security definition. Composability guarantees that a key generated by a QKD protocol can safely be used in applications, e.g., as a one-time pad for message encryption. Although this requirement is obviously crucial for practice, it is not met by most security definitions considered in the literature [10].

In contrast to that, the results derived in this Letter are formulated in terms of a security definition that meets both requirements, i.e., it is composable and, in addition, the parameter $\varepsilon$ has an operational interpretation. The definition we use was proposed in [?]: for any $\varepsilon > 0$, a key $K$ is said to be $\varepsilon$-secure with respect to an adversary $E$ if the joint state $\rho_{KE}$ satisfies

$$ \tfrac{1}{2}\,\|\rho_{KE} - \tau_K \otimes \rho_E\|_1 \le \varepsilon \qquad (1) $$

where $\tau_K$ is the completely mixed state on $K$. The parameter $\varepsilon$ can be seen as the maximum probability that $K$ differs from a perfect key (i.e., a fully random bit string) [16]. Equivalently, $\varepsilon$ can be interpreted as the maximum failure probability, where failure means that "something went wrong", e.g., that an adversary might have gained some information on $K$. From this perspective, it is also easy to understand why the definition is composable. In fact, the failure probability of any cryptosystem that uses a perfect secret key only increases by (at most) $\varepsilon$ if the perfect key is replaced by an $\varepsilon$-secure key. In particular, because one-time pad encryption with a perfect key has failure probability zero (the ciphertext gives zero information about the message), it follows that one-time pad encryption based on an $\varepsilon$-secure key remains perfectly confidential, except with probability at most $\varepsilon$.

Protocol. A QKD protocol starts with the distribution of quantum signals. In this Letter, we take an entanglement-based view, that is, after this distribution step, Alice and Bob share $N$ (entangled) particle pairs, whose joint state we denote by $\rho_{A^N B^N}$. Next, Alice and Bob apply individual measurements to their particles to get classical data. For definiteness, we focus on protocols that use two-dimensional quantum systems (qubits) and von Neumann measurements, resulting in $N$ correlated pairs of bits. Then, in a parameter estimation step, Alice and Bob reveal a random sample consisting of $m$ of these pairs (using a public communication channel), which allows them to estimate the statistics $\lambda_m$ of their data, i.e., the relative frequencies $\lambda_{(a,b)}$ of the symbol pairs $(a,b)$. The protocol may also specify a sifting phase, in which some items are discarded.

At this stage, both Alice and Bob hold a string of $n \le N - m$ bits, called raw key, denoted by $X^n$ and $Y^n$, respectively. These raw keys are generally only partially correlated and only partially secret. But, and this is where quantum physics plays a role, the maximum information that an eavesdropper Eve might have gained during the protocol, in the following denoted $E^n$, can be computed solely from the statistics $\lambda_{(a,b)}$. This allows Alice and Bob to transform the raw key pair into a fully secure key $K$ of length $\ell \le n$, using some purely classical procedure, in the following called post-processing. In this Letter, we focus on one-way post-processing consisting of two steps, called error correction (also known as information reconciliation) and privacy amplification. For the error correction, Alice sends some information on her raw key $X^n$ over the public channel, allowing Bob, who already knows $Y^n$, to compute a guess for $X^n$. Finally, privacy amplification is applied to turn $X^n$ into a fully secure key $K$. This is typically done by two-universal hashing [24].

Asymptotic analysis. The one-way protocol described above has been studied extensively over the past few years, mostly in an asymptotic scenario where the size of the raw key tends to infinity. In this case, a commonly used figure of merit is the sifted key rate $r'$, defined as the ratio $r' := \lim_{n \to \infty} \ell(n)/n$ between the number $\ell(n)$ of generated key bits and the size $n$ of the raw key. Devetak and Winter [18] have proved that, under the assumption of collective attacks (see below),

$$ r' = H(X|E) - H(X|Y) \qquad (2) $$

where $H(\cdot|\cdot)$ is the conditional von Neumann entropy, evaluated after the sifting step; note that, when both systems are classical as in $H(X|Y)$, von Neumann entropy becomes Shannon entropy. The expression says that the sifted key rate $r'$ is equal to the uncertainty that Eve has on the raw key bits $X$, minus Bob's uncertainty: a very intuitive statement after all. Multiplying the sifted key rate $r'$ with the ratio $n/N$ of raw key bits per signal gives the key rate per signal $r$, which is an indicator for the asymptotic performance of the overall protocol. For many schemes, the ratio $n/N$ can be chosen arbitrarily close to one for sufficiently large $N$, because a small fraction $m \ll N$ of signals provides a sufficiently accurate parameter estimation; in this case, the key rate per signal $r$ and the sifted key rate $r'$ are asymptotically equal.

Non-asymptotic analysis. When the number $N$ of exchanged quantum signals is finite, the above considerations are no longer sufficient. For example, since $n + m \le N$, one has to find a trade-off between the length of the raw key $n$ and the precision of parameter estimation, which depends on the sample size $m$. Imperfect parameter estimation is however not the only deviation from the asymptotic case. The performance of an error correction procedure EC might, and in practical realizations actually does, fall short of the theoretical limit. For our security analysis, the main characteristics of EC are the number of bits that need to be transmitted over the public channel (carrying information on $X^n$), in the following denoted $\mathrm{leak}_{EC}$, and the error probability $\varepsilon_{EC}$, i.e., the probability that Bob computes a wrong guess for $X^n$. Finally, as discussed above, the security of a key generated from finite resources is always finite: the length of the extractable secret key depends on the desired security $\varepsilon$ of the final key.

Our goal is to find the generalization of (2) for QKD with finite resources, and to use it to compute $r$ for given $(N, \varepsilon, \mathrm{leak}_{EC}, \varepsilon_{EC})$ after optimizing over the choices of other possible parameters. The analysis will be based on the tools developed in [13]. In particular, it relies on a generalization of the von Neumann entropy [25], called smooth min-entropy. For any bipartite density operator $\rho_{AB}$ and $\varepsilon > 0$, the smooth min-entropy $H^{\varepsilon}_{\min}(A|B)$ is defined as the maximum, taken over all density operators $\bar\rho_{AB}$ that are $\varepsilon$-close to $\rho_{AB}$, of the quantity

$$ H_{\min}(A|B) := -\log_2 \min\{\lambda > 0 : \exists\, \sigma_B : \bar\rho_{AB} \le \lambda\, \mathrm{id}_A \otimes \sigma_B\} $$

where $\mathrm{id}_A$ denotes the identity operator on subsystem $A$ and $\sigma_B$ is any density operator on subsystem $B$. The significance of the smooth min-entropy stems from the fact that it characterizes the number of uniform bits that can be extracted by privacy amplification.

As a starting point, a formula for the number of final key bits $\ell$ can be obtained as a straightforward generalization of Lemma 6.4.1 in [13]:

Lemma 1. The key agreement protocol described above generates an $\varepsilon$-secure key if, for some $\bar\varepsilon > 0$,

$$ \ell \le H^{\bar\varepsilon}_{\min}(X^n|E^n) - \mathrm{leak}_{EC} - 2\log_2 \frac{1}{2(\varepsilon - \bar\varepsilon - \varepsilon_{EC})} \qquad (3) $$

Lemma 1 shows explicitly the two-step nature of one-way post-processing: for error correction, Alice has to send a bit string $C$ of length $\mathrm{leak}_{EC}$ to Bob over the public channel, hence reducing Eve's uncertainty by the same amount. Privacy amplification then extracts a key whose length roughly corresponds to Eve's uncertainty after error correction, which is given by $H^{\bar\varepsilon}_{\min}(X^n|CE^n) \ge H^{\bar\varepsilon}_{\min}(X^n|E^n) - \mathrm{leak}_{EC}$.

To go further, we have to evaluate the smooth min-entropy $H^{\bar\varepsilon}_{\min}(X^n|E^n)$. This evaluation is easy in the case of collective attacks, i.e., under the assumption that Alice and Bob (in an entanglement-based view) initially share a state of the form $\rho_{A^N B^N} = (\sigma_{AB})^{\otimes N}$ with $\sigma_{AB}$ a two-qubit state. Indeed, in this case one can also assume $\rho_{X^n E^n} = (\sigma_{XE})^{\otimes n}$ without loss of generality, since all purifications of $\rho_{AB}$ are equivalent under a local unitary operation by Eve, and there clearly exists a purification with that property. However, the statistics $\lambda_{(a,b)}$ acquired during parameter estimation generally only give a partial characterization of $\sigma_{XE}$. Lemma 2 below [27] provides a lower bound on $H^{\bar\varepsilon}_{\min}(X^n|E^n)$, given that $\sigma_{XE}$ is contained in a set $\Gamma$ compatible with the statistics $\lambda_{(a,b)}$, except with probability $\varepsilon'$.

Lemma 2. For any $\bar\varepsilon > \varepsilon'$, the smooth min-entropy of the state $\rho_{X^n E^n}$ described above is lower bounded by

$$ H^{\bar\varepsilon}_{\min}(X^n|E^n) \ge n \Big[ \min_{\sigma_{XE} \in \Gamma} H(X|E) - \delta \Big] \qquad (4) $$

where $\delta := 7\sqrt{\log_2(2/(\bar\varepsilon - \varepsilon'))/n}$.

The description of the set of states $\Gamma$ takes into account the fact that the parameter estimation has been made on a sample of finite size $m$. A quantitative version of the law of large numbers (see e.g. Theorem 12.2.1 and Lemma 12.6.1 in [23]) yields the following statement:

Lemma 3. If the statistics $\lambda_m$ are obtained by measurements of $m$ samples of $\sigma$ according to a POVM with $d$ outcomes then, for any $\varepsilon' > 0$, $\sigma$ is contained in the set

$$ \Gamma := \Big\{ \sigma : \|\lambda_m - \lambda_\infty(\sigma)\| \le \xi(m, d) := \sqrt{\frac{2\ln(1/\varepsilon') + d\,\ln(m+1)}{m}} \Big\} $$

except with probability $\varepsilon'$, where $\lambda_\infty(\sigma)$ denotes the probability distribution defined by the POVM applied to $\sigma$.

The three Lemmas together yield the desired generalization of (2):

$$ r' = H_\xi(X|E) - (\mathrm{leak}_{EC} + \Delta)/n \qquad (5) $$

with $H_\xi(X|E) = \min_{\sigma_{XE} \in \Gamma} H(X|E)$ and $\Delta = 2\log_2 \frac{1}{2(\varepsilon - \bar\varepsilon - \varepsilon_{EC})} + 7\sqrt{n \log_2(2/(\bar\varepsilon - \varepsilon'))}$. We recall that $(N, \varepsilon, \mathrm{leak}_{EC}, \varepsilon_{EC})$ are parameters of the protocol implementation, while $n$, $m$, $\bar\varepsilon$ and $\varepsilon'$ must be chosen so as to maximize $r = (n/N)\, r'$ under the constraints $n + m \le N$ and $\varepsilon - \varepsilon_{EC} > \bar\varepsilon > \varepsilon' > 0$.



In general, (5) is valid only for collective attacks because of the estimate (4) of $H^{\bar\varepsilon}_{\min}(X^n|E^n)$. However, it has been proved that the assumption of collective attacks can be made without loss of generality for the BB84 and the six-states protocols [?] (see open issues for the discussion of a more general approach based on the exponential de Finetti theorem [?]). To illustrate the bound (5), we move on to derive the explicit expressions of $H_\xi(X|E)$.

BB84. We consider an asymmetric version of BB84 [22]: the key is obtained from measurements in one basis $B_0$ chosen by both Alice and Bob with probability $p_0$; the complementary basis $B_1$, chosen with probability $p_1 = 1 - p_0$, is used for parameter estimation. So $n = N p_0^2$ and $m = N p_1^2$, while $2N p_0 p_1$ signals are discarded in sifting. The computation of $H_\xi(X|E)$ can be done in full along the usual lines, see e.g. Appendix A of [?]. More directly, notice that, in this term, the only finite-key effect is the imperfection of the statistics. Knowing the asymptotic value $H(X|E) = 1 - h(e_1)$, where $e_1$ is the error rate in the basis $B_1$ (phase error) and $h$ is the binary entropy, it is obvious that the worst-case estimate of $\lambda_{(a,b)} = e_1$ is $\tilde e_1 = e_1 + \xi(m, d=2)$, because the POVM has two outcomes (same vs different bits). Therefore

$$ H_\xi(X|E) = 1 - h(\tilde e_1). \qquad (6) $$

Six-states. We consider an asymmetric version of the six-states protocol: the key is obtained from measurements in one basis $B_0$ chosen by both Alice and Bob with probability $p_0$; the complementary bases $B_1$ and $B_2$, chosen with equal probability $q = p_1/2$, are used for parameter estimation. Sifting yields $n = N p_0^2$ and $m_1 = m_2 = N q^2$, while the remaining signals are discarded. Similarly as above, the asymptotic formula (for $e_1 = e_2$, a case that minimizes it) can be immediately translated into

$$ H_\xi(X|E) = (1 - \tilde e_0)\Big[1 - h\Big(\frac{1 - \tilde e_1 - \tilde e_0/2}{1 - \tilde e_0}\Big)\Big] \qquad (7) $$

with $\tilde e_1 = e_1 + \xi(m_1, d=2)$ and $\tilde e_0 = e_0 + \xi(n, d=2)$, because $e_0$ is estimated on the $n$ bits of the raw key.
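Equations (5), (6) and (7) combined into a small calculator, as an added example that is not part of the paper: it evaluates the lower bound on $r$ for single-qubit BB84 and six-states with the parameters used for the plots ($\varepsilon = 10^{-5}$, $\varepsilon_{EC} = 10^{-10}$, $\mathrm{leak}_{EC}/n = 1.2\,h(Q)$, $e_0 = e_1 = Q$) and searches a coarse grid over the free parameters $p_1$, $\bar\varepsilon$ and $\varepsilon'$. The grid, the function names, the protocol labels and the clamping of $H_\xi$ to zero once the worst-case error rates exceed $1/2$ are my own choices, not the paper's.

```python
import math


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def xi(m, d, eps_p):
    """Lemma 3: statistical deviation after m samples of a d-outcome POVM."""
    return math.sqrt((2 * math.log(1 / eps_p) + d * math.log(m + 1)) / m)


def h_xi(protocol, Q, n, m, eps_p):
    """Eq. (6) for BB84, Eq. (7) for six-states; returns 0 once the worst-case
    error rates are so large that the formulas give no useful bound (my clamp)."""
    e1 = Q + xi(m, 2, eps_p)                   # worst-case error in B1 (and B2)
    if protocol == "bb84":
        return 0.0 if e1 >= 0.5 else 1 - h(e1)
    e0 = Q + xi(n, 2, eps_p)                   # key-basis error, estimated on n bits
    if e0 >= 0.5 or 1 - e1 - e0 / 2 <= 0:
        return 0.0
    a = (1 - e1 - e0 / 2) / (1 - e0)
    return 0.0 if a <= 0.5 else (1 - e0) * (1 - h(a))


def key_rate(N, Q, p1, protocol, eps, eps_bar, eps_p, eps_ec=1e-10):
    """Eq. (5): lower bound on r = (n/N) r' for asymmetric BB84 / six-states."""
    if not (eps - eps_ec > eps_bar > eps_p > 0):
        raise ValueError("need eps - eps_EC > eps_bar > eps' > 0")
    n = N * (1 - p1) ** 2                          # both parties chose B0
    m = N * p1 ** 2 if protocol == "bb84" else N * (p1 / 2) ** 2  # samples per test basis
    leak_ec = 1.2 * h(Q) * n                       # realistic one-way EC leakage
    delta = (2 * math.log2(1 / (2 * (eps - eps_bar - eps_ec)))
             + 7 * math.sqrt(n * math.log2(2 / (eps_bar - eps_p))))
    return (n / N) * (h_xi(protocol, Q, n, m, eps_p) - (leak_ec + delta) / n)


def best_key_rate(N, Q, protocol="bb84", eps=1e-5, eps_ec=1e-10):
    """Maximise Eq. (5) over a coarse grid of the free parameters p1, eps_bar, eps'."""
    best = -math.inf
    for p1 in (i / 100 for i in range(1, 60)):
        for fb in (0.2, 0.4, 0.6, 0.8, 0.95):      # eps_bar as a fraction of eps - eps_EC
            eps_bar = fb * (eps - eps_ec)
            for fp in (0.1, 0.3, 0.5, 0.7, 0.9):   # eps' as a fraction of eps_bar
                best = max(best, key_rate(N, Q, p1, protocol, eps, eps_bar, fp * eps_bar, eps_ec))
    return best


if __name__ == "__main__":
    for N in (1e4, 1e5, 1e6, 1e7):
        print(f"N={N:.0e}  BB84: {best_key_rate(N, 0.01):+.3f}"
              f"  six-states: {best_key_rate(N, 0.01, 'six'):+.3f}")
```

With $Q = 1\%$ the bound is negative at $N = 10^4$ and positive at $N = 10^5$, which reproduces the order of magnitude quoted in the abstract; a finer grid or a proper optimizer only raises the returned value.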

Plots. For an a priori estimate of our bounds, we have supposed as usual that parameter estimation yields $e_0 = e_1 = Q$; imperfect EC has been characterized by $\mathrm{leak}_{EC}/n = 1.2\, h(Q)$ and $\varepsilon_{EC} = 10^{-10}$ based on the performances of real codes [28]. The optimization was done numerically; in particular, the optimal value of $p_1$ was found to be approximately $n_b^{-1} (N/N_0)^{-1/4}$, $N_0$ being the smallest $N$ such that $r > 0$ and $n_b = 2$ for BB84 and 3 for six-states. The results are shown in Fig. 1. The slight difference between the two protocols is due to the fact that six-states estimates more parameters than BB84: the rates are in principle higher because the bound on Eve's information is tighter, but, for short keys, more signals must be devoted to the estimation. These plots do not depend very critically on the value $\varepsilon$; in particular, even for $\varepsilon > 10^{-2}$ our bounds are tighter than those computed in [9] for a limited class of attacks on the six-states protocol.

FIG. 1: (color online) Lower bound for the key rate $r$ as a function of the number of exchanged quantum signals $N$, for the BB84 (full lines) and the six-states protocol (dashed lines); values: $\varepsilon = 10^{-5}$, $\varepsilon_{EC} = 10^{-10}$, $\mathrm{leak}_{EC}/n = 1.2\, h(Q)$, and several $Q = e_0 = e_1$.

Open issues. We point out two directions for future work. First: the results we have presented here are not necessarily tight: better estimates might lead to more optimistic bounds on the security. Lemmas 1-3 can be shown to be optimal up to an additive term of the order $\log 1/\varepsilon$. So basically there is room for improvement only in the performance of error correction schemes. Second: formula (5) has been derived under the assumption of collective attacks and provides full security for the BB84 and the six-states protocols only thanks to specific symmetries [?]. To get a fully general statement, one might invoke a quantum version of de Finetti's representation theorem as proposed in [21], which, in the asymptotic case, implies that security against general attacks follows from security against collective attacks. This technique, however, gives rise to additional deviations (see Theorem 6.5.1 of [13] for explicit formulae) which are significant in a non-asymptotic scenario and lead to very pessimistic bounds. To improve them, a tighter variant of de Finetti's theorem, or some new ideas, might be required.